
The consumer fights back

New data protection laws and what they mean for the call centre

Unify Issue 4

So far only the financial industry has faced heavyweight regulation on record keeping. Now punitive new EU law is set to clamp down on every business trading by phone.

The thicket of regulations and directives that already surrounds call centre activities is soon to become denser still with the coming into force in 2018 of the General Data Protection Regulation (GDPR) and MiFID II directive.

GDPR has implications for all organisations that collect information about customers resident in the EU, while MiFID II (Markets in Financial Instruments Directive II) applies only to financial services operations involved in the trading of investment market products such as derivatives, commodities, bonds and complex products like credit default swaps and collateralised debt obligations.

Both measures are creatures of the EU; both can be expected to have force in the UK following Brexit, whatever leaving the EU eventually looks like. Both make new demands that will compel organisations to review and heavily revise the ways in which they gather, and preserve for later examination, evidence of how they go about their activities.

MiFID II might be characterised as a bolting of the stable door after the financial crash of 2008, aimed as it is at regulating the sale of the kind of complex financial products that led to the meltdown.

GDPR is something rather different – a legal framework that aims to restore to citizens some of the control they once had over the propagation and use of their personal data. It is a reset of the relationship between corporations and their citizen customers. Before GDPR, customer information was increasingly ‘owned’ by the acquiring corporations, which could do what they wished with it. When GDPR takes effect, the power shifts back to the individual. Companies will no longer be able to behave as if they own the data; they hold it on explicitly consented loan, and need to prove they are worthy of trust in order to retain it. If they lose personal data, or allow unlawful or accidental access to it, then they must report the incident to their in-country information commissioner within 72 hours.

Global reach

GDPR will have global effect, radical though this sounds. It will protect the data of EU citizens, wherever in the world they reside, and wherever their data is kept or used. Moreover, it will extend beyond the primary organisation to all partners in the value chain. Each of them will be obligated under GDPR to check that they themselves are compliant with the regulation and, further, to ensure that the entities they interact with are compliant too.

The penalties available under GDPR are also of a different order of magnitude, at up to four percent of global turnover. If the UK’s information commissioner had been working under GDPR in 2015 then the £400,000 fine levied on TalkTalk for its customer data breach could have been as high as £72 million. The obligation to report data breaches within 72 hours leaves organisations with no real hiding place.

Previously, some organisations might have thought that toughing it out and saying nothing was the pragmatic response to a data breach. If the news eventually leaked out, then the resulting fine was not going to have a major impact on the bottom line. Now, however, trying to cover up a breach will likely result in an even stiffer eventual penalty. Moreover, the possibility of private claims is higher, because class action and no-win no-fee law suits will find it easier to convince courts of non-compliance with GDPR’s specific elements.

That was then, this is now

Wind back in history 200 years, and business was transacted by spoken word and by written correspondence. Today, business communication channels are rather more complicated. Face-to-face contact and letter writing persist, but have taken a back seat to telephony, email and video links such as Skype. This, then, is the multi-channel environment that GDPR seeks to regulate.

As with previous and existing regulations and directives, neither GDPR nor MiFID II is prescriptive about the technology that enterprises must deploy in order to prove compliance. The what of compliance is set out, but the how is left to the organisation to determine.

Gary Dudbridge, a telecoms consultant and previously head of telecommunications architecture for a tier 1 international bank, says this lack of prescription is typical and deliberate: not intended to give organisations rope with which to hang themselves, but crafted so that they are not forced to deploy technology that might be quite inappropriate for their business model or the size of their operation.

Regulations and directives tend to be tested through fines, test cases and ultimately litigation. They are deliberately open to interpretation. They might say you have to keep a record of something, but not tell you how. As a sole trader gathering customer data you might be able to argue successfully that keeping a paper record of transactions is adequate, but a call centre of a major bank, for example, will be expected to be able to provide a complete electronic after-the-fact reconstruction of every multi-channel interaction. That means recording and being able to quickly retrieve email, web chat and collaboration, Blackberry messages, SMS, landline and mobile – perhaps dual SIM – voice calls, and even Skype or FaceTime too. Anything that is evidential will be regarded as material.

Gary Dudbridge

New citizen powers

Significantly, GDPR doesn’t just give regulators a new bite; it also empowers citizens to view the information corporations hold about them, to request that incorrect information is changed, and to give their permission for, or to opt out of, ways in which their personal information might be used.

To prove compliance, organisations will have to demonstrate that they have in place effective programmes for the promotion of appropriate soft skills, such as induction, ongoing training and monitoring of staff.

But, inevitably, the primary burden of compliance will have to be carried by automation. This is not just because of the complex multi-channel nature of the required audit trail, but because the enhanced empowerment of citizens provided by GDPR means companies must ensure they are able to respond in a timely and accurate way to requests from members of the public. Putting in place technology that allows this to be handled in an interactive self-service way will, for most organisations, be the only affordable and practical route to compliance with this particular element of GDPR.

The silver lining

It would be quite wrong to characterise GDPR as all pain and no gain. It is a certain bet that all call centres, even the smallest, are already using voice recording systems to ensure compliance with current regulations. An equally certain bet is that most if not all are taking advantage of the embedded technology to enhance staff training, and using it as an aid in dispute resolution. For some, voice recording is a useful component in a fraud prevention strategy.

With GDPR comes the requirement to gather, and preserve for rapid analysis, records of all interactions with customers, adding to telephony the further channels of email, text and video. For anything larger than a one- or two-person inbound or outbound call centre, this brings a significant technical challenge, but organisations that meet it successfully will build greater trust with their customers and be in a position to turn those better quality relationships into new revenues. Compliance with GDPR will of course mean that customer permission must be sought for information to be used for marketing, but the capturing of multi-channel exchanges will create a rich stream of data that smarter and better equipped organisations will mine for marketing, sales intelligence and fraud prevention purposes.

As we have noted, GDPR and MiFID II compliance is not optional. The essential choice now facing organisations that deal with customer information is therefore how they achieve it. For most companies new technology will be required, and from that flows the question of which deployment model is to be adopted – on-premises equipment or third-party services delivered from the cloud.

Many organisations will conclude that, given the multi-channel complexity of the task, the on-premises model has had its day. Steep up-front capital expenditure, combined with the operational costs of office real estate and specialist in-house staff, will drive a lot of organisations to look seriously at the cloud alternative.

The solution provides the toolset organisations need to achieve compliance with the voice elements of GDPR, MiFID II and other related legal and regulatory requirements. As well as shifting all recording costs from capex to opex, and providing a single portal for all call recordings, the solution stops all payment card data from entering the user organisation’s IT environment, removing a major source of potential risk. Recordings are stored in the only VISA Europe approved solution currently available.

Gary Dudbridge comments:

How organisations manage the technology required to achieve compliance is going to be a major test, and it’s clear that the hosted model has a lot going for it. In an ecosystem as rich as the call centre, the costs of owning, operating and maintaining on-premises equipment are formidable. There’s also the task of integrating with other systems such as customer relationship management desktops.

Every time a new software version is released, the organisation has to create a project to upgrade and prove compatibility with the entire ecosystem. Move it into the cloud, and someone else takes the pain and has to get out of bed in the dead of night when something breaks. Add to that the ability to scale up and scale down at will in response to market changes, and you have a compelling proposition.